US11301565B2 - Method and system for detecting malicious software integrated in an electronic document - Google Patents
Method and system for detecting malicious software integrated in an electronic document Download PDFInfo
- Publication number
- US11301565B2 US11301565B2 US16/471,000 US201616471000A US11301565B2 US 11301565 B2 US11301565 B2 US 11301565B2 US 201616471000 A US201616471000 A US 201616471000A US 11301565 B2 US11301565 B2 US 11301565B2
- Authority
- US
- United States
- Prior art keywords
- electronic document
- code
- vectors
- binary vector
- groups
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active, expires
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/562—Static detection
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/562—Static detection
- G06F21/563—Static detection by source code analysis
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/562—Static detection
- G06F21/564—Static detection by virus signature recognition
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/03—Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
- G06F2221/033—Test or assess software
Definitions
- the present invention is applicable in the technical sector of computer security, and it more specifically relates to the detection of malicious software integrated in electronic documents, such as Excel spreadsheets or PDF documents, for example.
- script languages integrated in documents started for the purpose of adding additional functionalities to these documents and thus providing them with dynamic properties which allow, for example, performing actions on a set of cells in an Excel document, enabling a PDF file to be editable, or embedding multimedia objects in Word files.
- VBA Visual Basic for Applications
- Javascript Javascript
- VBA is the language used for creating macros in Office.
- files with a .doc extension created with Office before 2007 may or may not contain macros, without the user noticing any difference in their name or extension.
- Office 2007, there is a specific type of file with the .DOCM extension which means that a document contains macros and its icon includes a warning signal.
- today's Office packages are fully compatible with the .doc format, so it is still used by attackers. They also use .docm formats (to a lesser extent), as they are confident that the user will not detect the risk the extension represents.
- JavaScript which was developed for creating interactive web pages in a simple manner, can be integrated in PDF documents to give them extra functionalities, such as allowing them to be interactive, for example.
- the most common use of JavaScript in documents of this type is in the incorporation of forms in the document, which in turn translates into formatting data, calculating data, validating it, and assigning actions to given events.
- JavaScript code unlike plugins, can be embedded directly in the PDF document and distributed directly with it. Historically, JavaScript has been used by attackers for attacking vulnerabilities in PDF readers which are taken advantage of through documents in this format.
- patent document U.S. Pat. No. 7,493,658 B2 processes the source code of the macros, separating the code into comments and names of variables and of functions. It studies the frequency and distribution of characters and allows discerning whether or not it is malware.
- a method for detecting malicious software in an electronic document comprising:
- One of the embodiments of the invention contemplates executing steps a)-c) locally in user equipment and executing steps d)-f) in a remote server.
- the user can thereby preserve his privacy since the electronic document never actually leaves his equipment, only its associated vector does.
- one of the embodiments of the invention comprises storing in the database the executable code, a summary code of the electronic document, a raw code associated with the electronic document and the binary vector.
- this allows, on one hand, feeding the database with information for fine-tuning the verdicts eventually issued by the algorithms and/or an analyst, and on the other hand, conserving the electronic document duly identified by means of the summary code, without having to share the electronic document.
- comparing the binary vector with one or more groups of previously classified vectors comprises calculating a distance between the binary vector and each of the groups of previously classified vectors.
- a measurement of the degree of similarity between the associated documents is obtained.
- the classification of the binary vector in one of the groups is performed depending on a maximum group distance.
- classifying the binary vector in one of the groups of previously classified vectors further comprises updating the verdict assigned to the corresponding group.
- the metadata extracted from the electronic document comprises at least one creation date of the electronic document and/or one modification date of the electronic document.
- the verdict about the presence of malicious software assigned to each of the groups of vectors comprises detecting in the executable code a certain number and size of macros or scripts integrated in the electronic document, detecting obfuscated code, detecting gaps between the creation date of the electronic document and the creation date of the executable code, and/or detecting the presence of certain reserved words relating to one or several of the following actions: execution of files, events, file management, file downloading, and library calls.
- the present invention contemplates in one of its possible embodiments, the possibility that the verdict about the presence of malicious software assigned to each of the groups of vectors comprises a manual analysis of the database by an analyst.
- the classification and clustering services of the present invention can advantageously be trained and improved.
- the electronic document is programmed, at least in part, with a script language to be selected from Visual Basic for Applications and JavaScript.
- a second aspect of the present invention relates to a system for detecting malicious software in an electronic document, where the system comprises:
- an application programming interface configured for interconnecting the client module with the classifier module and the database is contemplated.
- system further comprises a server, where at least the database and the classifier module are housed in said server.
- the client module is configured for operating locally in user equipment.
- a computer program comprising computer executable instructions for implementing the described method when executed in a computer, a digital signal processor, an application-specific integrated circuit, a microprocessor, a microcontroller, or any other form of programmable hardware.
- Said instructions can be stored in a digital data storage medium.
- FIG. 1 shows a general diagram of the client module and the pre-processing preferably performed locally in user equipment.
- FIG. 2 shows a classifier module according to the present invention.
- FIG. 3 shows an example of clustering according to an embodiment of the invention.
- FIG. 4 shows the database according to a particular embodiment of the invention.
- FIG. 5 shows a block diagram of the present invention including an application programming interface for communicating the client modules and the rest of the system.
- the present invention is based on the study of the behavior and techniques used by attackers when they create integrated malicious software (such as macros or JavaScript) and the manner in which they operate, which is taken advantage of for detecting these malicious documents and clustering them together, preserving the privacy of the document, since is not necessary to use its content to offer a rapid response about whether said document may contain some type of malicious software.
- integrated malicious software such as macros or JavaScript
- the present invention keeps the content of the information secure and analyzes the payload, taking advantage of the particularities of the embedded malware for detecting malware with an approach that differs from conventional methods, based on parameters other than signatures or heuristics, for complementing the detection performed by general antivirus software and thus allowing a more effective identification in another layer and with other means, such as automatic learning, for example. Furthermore, it is specifically intended for preserving privacy, and therefore data from the content of the document and personal data of the user that may be inserted in metadata are not used.
- the present invention also contemplates storing the decrypted code in a server, which will be used in future detections and eventually by malware analysts.
- the document is pre-processed locally in the client equipment.
- the intelligence applied in the server only receives anonymous data (a characteristic vector) together with other data such as the hash function or (summary code) of the document and the macros it contains, which in no case allow identifying it or associating it with the original document, completely preserving its privacy.
- Said pre-processing can be seen in FIG. 1 and it is preferably performed locally in the client equipment, which starts ( 101 ) when a user who wants to analyze an electronic document delivers the desired document to a client module ( 100 ). It is analyzed whether the document contains some type of executable code ( 102 ), and if one should be detected, the metadata and characteristics of the document are extracted ( 103 ) and a binary vector is created ( 104 ).
- the extracted characteristics can be taken from the executable code embedded in the document, besides metadata of the document itself, but always avoiding the metadata of the document which may include sensitive information about the content or about the person responsible for it, so the user is certain that leakage of the private data beyond the control of the client module will never occur.
- the client module can reside in different software programs as a complement or extension. It can also be present in servers which process or forward files to be used as a proxy in, for example, file share servers, storage servers, or mail servers.
- Programs with embedded malware differ from conventional malware in some aspects, such as for example since they are programmed with a language script, they are not compiled or can be readily decompiled; they often present code obfuscation to render the malware more difficult to analyze; the useful part of the document is present in very particular part of the file structure (completely separated from the content itself); or the attackers cannot go to such low programming levels to prevent detection, so they are forced to include library calls and functions in a mode that is rather standard.
- the data extracted by the present invention may comprise, but is not limited to, the following content:
- a set of characteristics such as those referred to in a non-limiting manner above is obtained from said information and used to generate a binary vector.
- the documents are then anonymized by means of transforming them into a binary vector with the necessary characteristics which cannot be univocally associated with any document in particular.
- the client passes the document to a database housed in a server to obtain a reference thereof, but it does not allow retrieving the information contained in said document. Therefore, although the documents are anonymized, they are represented through their hash.
- FIG. 2 describes the classifier module ( 200 ) which, preferably housed in a server, obtains an input vector ( 201 ) from a client module and tries to classify it by means of a classification algorithm and cluster it with other vectors or groups of vectors, using clustering techniques.
- the vector does not have to correspond to a single specific document, thus one vector 201 may be common, for example, to a first document ( 202 ) and a second document ( 203 ).
- Using a vector and consulting the database preferably housed in the same server, makes it possible to obtain a rapid response ( 204 ), but in the event that a response is not direct, it can use a rapid classifier for determining whether or not the document contains a malicious payload.
- the executable code ( 205 ) with the metadata and hash ( 206 ) of the generated document are stored in the database described below.
- the vectors can be considered a vector fingerprint, but instead of being associated with a vector, it is associated with a set of documents which either share a vector or else the distance calculated between their vectors is less than or equal to a range established as maximum distance clustering (MDC).
- MDC maximum distance clustering
- the documents can thereby be clustered in a highly efficient manner in groups of documents or clusters of similar characteristics, as depicted by way of example in FIG. 3 .
- the clustering of documents 301 - 310 of the example with an established MDC equal to 3 results in clusters 311 - 313 .
- Cluster 311 clusters documents 301 - 303 in a single vector ( 314 ).
- Cluster 312 clusters documents 304 - 306 in two different vectors, a first vector ( 315 ) shared by documents 304 and 305 and a second vector ( 306 ) associated with document 306 which is not equal to vector 315 , but the distance between them is less than or equal to the MDC established in this case and equal to 3.
- cluster 313 clusters the vectors associated with documents 307 - 310 , where a first vector ( 317 ) is shared by documents 307 and 308 and documents 309 and 310 are associated with vectors 318 and 319 , respectively, which have a distance between them and with respect to vector 317 that is less than or equal to the MDC established in this case and equal to 3.
- the classification algorithm used in one of the embodiments of the invention comprises several machine learning algorithms which use standard techniques carried out under the supervision of the analyst.
- the classifier can use any algorithm that meets the needs at all times and any algorithm with the highest rate of success at all times.
- Said algorithms essentially use the information from the groups of vectors stored in the database for classifying which of them are susceptible or not to the documents from which they originate containing malware. From there, this information is used by the classifier, such that when the vector of the document is received from a client module, it identifies which group it would be classified in, and therefore it is rapidly and easily identified if the document associated with that vector is affected by malware, with the client module being informed.
- the database ( 400 ) depicted in FIG. 4 acts like a central repository in a server ( 401 ) and its functions include:
- the database additionally houses executable codes, summary codes of the analyzed documents, the verdicts obtained by means of the algorithms used, and the possible corrections, manually input by an analyst.
- FIG. 5 illustrates the access framework provided in an embodiment of the invention.
- the server provides an application programming interface ( 500 ) or “API” for communicating with the client modules.
- This API allows the client to interact with the rest of the system.
- the API has permission to obtain data and produce a response with a verdict about the payload present in the documents.
- the API allows users to interact with different degrees of privacy, as required by the actual user, thus, from a client (desktop) or a client (in a server processing or forwarding the document), the client module can use the API to send the complete document to server, to send the raw code, or to directly send a binary vector.
- the sent information (complete document, raw code, or vector) is processed and compared with other documents, raw code, or vectors.
- the comparison is more reliable since it is compared both with other documents and with raw code and stored vectors.
- the comparison is limited to other raw codes and vectors.
- the alternative with a higher degree of privacy involves directly providing a vector, but the comparison may only be performed with other previously stored vectors.
- a direct response can be derived, or if it cannot be classified directly, it will be clustered according to the established minimum distance in a group of vectors with similar characteristics and a response will be delivered.
Abstract
Description
-
- a) detecting an executable code in the electronic document provided to a client module;
- b) extracting, in the client module, information from the electronic document comprising the executable code and metadata of the electronic document;
- c) creating, in the client module, a binary vector associated with the electronic document based on certain characteristics obtained from the extracted information;
- d) comparing, in a classifier module, the binary vector with one or more groups of vectors previously classified and stored in a database;
- e) as a result of the comparison, classifying the binary vector in one of the groups of previously classified vectors, where each group of vectors has associated therewith in the database a verdict about the presence of malicious software;
- f) determining, in the database, that the electronic document contains malicious software depending on the verdict associated with the group in which its associated binary vector has been classified.
-
- a client module (100) configured for receiving the electronic document; detecting an executable code in the electronic document; extracting certain information comprising the executable code and metadata of the electronic document; creating a binary vector associated with the electronic document based on certain characteristics obtained from the extracted information;
- a classifier module (200) configured for comparing the binary vector with one or more groups of previously classified vectors; as a result of the comparison, classifying the vector in one of the groups of previously classified vectors; and
- a database (400) configured for associating a verdict with each group of vectors about the presence of malicious software; and determining that the electronic document contains malicious software depending on the verdict associated with the group in which its associated vector has been classified.
-
- The presence of certain words.
- The number of times a given group of words appears.
- The number and size of the incorporated modules.
- The presence of obfuscated code. Despite the fact that obfuscation seems to make it more difficult for analyzers to know how and what the code does, it can be turned into an advantage for analyzing the obfuscation code itself. Several characteristics of the code resulting from obfuscation algorithms can share characteristics or even make it easier to determine and classify the code.
-
- Presence of reserved words, phrases, or function calls in VBA, JavaScript, or any scripting or embedded language relating to the execution of files, such as: Shell, vbNormal, vbNormalFocus, vbHide, vbMinimizedFocus, vbMaximizedFocus, vbNormalNoFocus, vbMinimizedNoFocus, WScript.Shell, Run, eval, start, open, exec, or require.
- Presence of reserved words, phrases, or function calls in VBA, JavaScript, or any scripting or embedded language relating to events such as for example: createEvent, initEvent, event, event.initEvent, element.dispatch Event, dispatch Event, element.fireEvent, fireEvent, eventType, addEventListener, or CustomEvent.
- Presence of reserved words, phrases, or function calls in VBA, JavaScript, or any scripting or embedded language relating to the open or close event, such as: AutoExec, AutoOpen, Document Open, DocumentOpen, AutoExit, AutoClose, Document Close, DocumentBeforeClose, DocumentChange, AutoNew, Document New, or NewDocument.
- Presence of reserved words, sentences, or function calls in VBA, JavaScript, or any scripting or embedded language relating to the file management such as: Environ, Open, Write, Put, Output, Print, Binary, FileCopy, or CopyFile.
- Kill, CreateTextFile, ADODB.Stream, WriteText, SaveToFile, FileReader, File, FileWriter, FileList, Blob, onload, readAsText, DirectoryReader, FileEntry/DirectoryEntry, LocalFileSystem, getFile, requestFileSystem, createWriter, moveTo, copyTo, or remove.
- Presence of reserved words, phrases, or function calls in VBA, JavaScript, or any scripting or embedded language relating to file downloading such as: URLDownloadToFileA, Msxml2.XMLHTTP, Microsoft.XMLHTTP, MSXML2.ServerXMLHTTP, or User-Agent
- Presence of reserved words, phrases, or function calls in VBA, JavaScript, or any scripting or embedded language relating to library calls.
- Number and size of the embedded macros or scripts.
- Time gap between the creation of a file or documents and the creation of the executable code.
- If obfuscated code is detected, the presence of equivalent words.
-
- storing raw code: the code is stored in raw form in the database, so analysts can train and improve classification and clustering services. Said repository allows analyzing reputation, comparisons, intelligence, and so on and so forth.
- storing vectors: it allows comparing vectors and the distance between vectors in an ultrafast and light manner. Comparing not only the vectors themselves but also the distance between the vectors in different groups allows classifying and clustering the documents anonymously.
Claims (14)
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/ES2016/070908 WO2018115534A1 (en) | 2016-12-19 | 2016-12-19 | Method and system for detecting malicious programs integrated into an electronic document |
Publications (2)
Publication Number | Publication Date |
---|---|
US20200089880A1 US20200089880A1 (en) | 2020-03-19 |
US11301565B2 true US11301565B2 (en) | 2022-04-12 |
Family
ID=62624780
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US16/471,000 Active 2037-10-16 US11301565B2 (en) | 2016-12-19 | 2016-12-19 | Method and system for detecting malicious software integrated in an electronic document |
Country Status (4)
Country | Link |
---|---|
US (1) | US11301565B2 (en) |
EP (1) | EP3557466A4 (en) |
BR (1) | BR112019012654B1 (en) |
WO (1) | WO2018115534A1 (en) |
Families Citing this family (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2018115534A1 (en) | 2016-12-19 | 2018-06-28 | Telefonica Digital España, S.L.U. | Method and system for detecting malicious programs integrated into an electronic document |
US10621349B2 (en) * | 2017-01-24 | 2020-04-14 | Cylance Inc. | Detection of malware using feature hashing |
US11178112B2 (en) * | 2019-07-23 | 2021-11-16 | Microsoft Technology Licensing, Llc | Enforcing security policies on client-side generated content in cloud application communications |
US11349865B1 (en) | 2021-02-24 | 2022-05-31 | Netskope, Inc. | Signatureless detection of malicious MS Office documents containing embedded OLE objects |
US11222112B1 (en) * | 2021-02-24 | 2022-01-11 | Netskope, Inc. | Signatureless detection of malicious MS office documents containing advanced threats in macros |
CN116305291B (en) * | 2023-05-16 | 2023-07-21 | 北京安天网络安全技术有限公司 | Office document secure storage method, device, equipment and medium |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20100192222A1 (en) | 2009-01-23 | 2010-07-29 | Microsoft Corporation | Malware detection using multiple classifiers |
US20110247072A1 (en) * | 2008-11-03 | 2011-10-06 | Stuart Gresley Staniford | Systems and Methods for Detecting Malicious PDF Network Content |
US8695096B1 (en) | 2011-05-24 | 2014-04-08 | Palo Alto Networks, Inc. | Automatic signature generation for malicious PDF files |
WO2014089744A1 (en) | 2012-12-10 | 2014-06-19 | 华为技术有限公司 | Method and apparatus for detecting malicious code |
US20160335432A1 (en) | 2015-05-17 | 2016-11-17 | Bitdefender IPR Management Ltd. | Cascading Classifiers For Computer Security Applications |
US9852297B1 (en) * | 2015-11-04 | 2017-12-26 | Invincea, Inc. | Methods and apparatus for detecting malware samples with similar image sets |
WO2018115534A1 (en) | 2016-12-19 | 2018-06-28 | Telefonica Digital España, S.L.U. | Method and system for detecting malicious programs integrated into an electronic document |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6697950B1 (en) | 1999-12-22 | 2004-02-24 | Networks Associates Technology, Inc. | Method and apparatus for detecting a macro computer virus using static analysis |
GB2400197B (en) | 2003-04-03 | 2006-04-12 | Messagelabs Ltd | System for and method of detecting malware in macros and executable scripts |
-
2016
- 2016-12-19 WO PCT/ES2016/070908 patent/WO2018115534A1/en active Application Filing
- 2016-12-19 US US16/471,000 patent/US11301565B2/en active Active
- 2016-12-19 BR BR112019012654-6A patent/BR112019012654B1/en active IP Right Grant
- 2016-12-19 EP EP16924353.2A patent/EP3557466A4/en active Pending
Patent Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20110247072A1 (en) * | 2008-11-03 | 2011-10-06 | Stuart Gresley Staniford | Systems and Methods for Detecting Malicious PDF Network Content |
US20100192222A1 (en) | 2009-01-23 | 2010-07-29 | Microsoft Corporation | Malware detection using multiple classifiers |
US8695096B1 (en) | 2011-05-24 | 2014-04-08 | Palo Alto Networks, Inc. | Automatic signature generation for malicious PDF files |
WO2014089744A1 (en) | 2012-12-10 | 2014-06-19 | 华为技术有限公司 | Method and apparatus for detecting malicious code |
US20160335432A1 (en) | 2015-05-17 | 2016-11-17 | Bitdefender IPR Management Ltd. | Cascading Classifiers For Computer Security Applications |
US9852297B1 (en) * | 2015-11-04 | 2017-12-26 | Invincea, Inc. | Methods and apparatus for detecting malware samples with similar image sets |
WO2018115534A1 (en) | 2016-12-19 | 2018-06-28 | Telefonica Digital España, S.L.U. | Method and system for detecting malicious programs integrated into an electronic document |
Non-Patent Citations (6)
Title |
---|
International Search Report and the Written Opinion dated Sep. 6, 2017 From the International Searching Authority Re. Application No. PCT/ES2016/070908. (15 pages). |
Nissim et al. "Detection of Malicious PDF Files and Directions for Enhancements: A State-of-the Art Survey", Computers & Security, 48: 246-266, Nov. 3, 2014. |
Pesce Document Metadata, the Silent Killer, SANS Institute InfoSec Reading Room, Sans.org, pp. 1-69, Retrieved on Aug. 4, 2017, Published on Apr. 17, 2015. |
Supplementary European Search Report and the European Search Opinion dated Jun. 18, 2020 From the European Patent Office Re. Application No. 16924353.2. (8 Pages). |
Wikipedia "Servidor de Aplicaciones", Wikipedia.org, pp. 1-2, Retrieved Aug. 4, 2015, Published on Sep. 20, 2015. |
Wikipedia Cluster Analysis, Wikipedia.org, pp. 1-16, Retrieved Aug. 4, 2017, Published on Dec. 18, 2016. |
Also Published As
Publication number | Publication date |
---|---|
BR112019012654A2 (en) | 2019-12-10 |
US20200089880A1 (en) | 2020-03-19 |
BR112019012654B1 (en) | 2023-12-19 |
WO2018115534A1 (en) | 2018-06-28 |
EP3557466A1 (en) | 2019-10-23 |
EP3557466A4 (en) | 2020-07-22 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11301565B2 (en) | Method and system for detecting malicious software integrated in an electronic document | |
Yakura et al. | Malware analysis of imaged binary samples by convolutional neural network with attention mechanism | |
US20180183815A1 (en) | System and method for detecting malware | |
Nissim et al. | Detection of malicious PDF files and directions for enhancements: A state-of-the art survey | |
US20190104154A1 (en) | Phishing attack detection | |
US10846403B2 (en) | Detecting malicious executable files by performing static analysis on executable files' overlay | |
Nissim et al. | Keeping pace with the creation of new malicious PDF files using an active-learning based detection framework | |
El Boujnouni et al. | New malware detection framework based on N-grams and support vector domain description | |
US11349865B1 (en) | Signatureless detection of malicious MS Office documents containing embedded OLE objects | |
Miura et al. | Macros finder: Do you remember loveletter? | |
Song et al. | Evaluations of AI‐based malicious PowerShell detection with feature optimizations | |
Zhang et al. | Smartdetect: a smart detection scheme for malicious web shell codes via ensemble learning | |
Nagaraju et al. | Auxiliary-classifier GAN for malware analysis | |
Casino et al. | Analysis and correlation of visual evidence in campaigns of malicious office documents | |
Rasheed et al. | Adversarial attacks on featureless deep learning malicious URLs detection | |
Yousuf et al. | Windows malware detection based on static analysis with multiple features | |
Kamundala et al. | CNN Model to Classify Malware Using Image Feature | |
Mishra et al. | Vmprotector: Malign process detection for protecting virtual machines in cloud environment | |
Anjaneyulu et al. | Detection of malicious websites using machine learning approach and web vulnerability scanner | |
Anandhi et al. | Performance evaluation of deep neural network on malware detection: visual feature approach | |
Liu et al. | Malware detection method based on image analysis and generative adversarial networks | |
Falah et al. | Towards enhanced PDF maldocs detection with feature engineering: design challenges | |
Geden et al. | Classification of malware families based on runtime behaviour | |
Arul et al. | Malware detection using higher order statistical parameters | |
Habtor et al. | Machine-learning classifiers for malware detection using data features |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
FEPP | Fee payment procedure |
Free format text: ENTITY STATUS SET TO UNDISCOUNTED (ORIGINAL EVENT CODE: BIG.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY |
|
AS | Assignment |
Owner name: TELEFONICA DIGITAL ESPANA, S.L.U., SPAIN Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:DE LOS SANTOS VILCHEZ, SERGIO;PEREZ GARCIA, PEDRO PABLO;TORRES VELASCO, JOSE;REEL/FRAME:051327/0305 Effective date: 20190618 |
|
AS | Assignment |
Owner name: TELEFONICA CYBERSECURITY & CLOUD TECH S.L.U., SPAIN Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:TELEFONICA DIGITAL ESPANA, S.L.U.;REEL/FRAME:056440/0099 Effective date: 20210524 |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: APPLICATION DISPATCHED FROM PREEXAM, NOT YET DOCKETED |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: NON FINAL ACTION MAILED |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: NOTICE OF ALLOWANCE MAILED -- APPLICATION RECEIVED IN OFFICE OF PUBLICATIONS |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: PUBLICATIONS -- ISSUE FEE PAYMENT VERIFIED |
|
STCF | Information on status: patent grant |
Free format text: PATENTED CASE |